Feb 02 2017

The list of entities reporting that employee W-2 data was acquired by phishing.

Last year, this site compiled 145 W-2 phishing incidents before I somewhat waved a white flag in terms of trying to keep up, but as I started working on this year’s list, I found even more cases from 2016, bringing the 2016 list to 175 reports.

Let’s see how 2017 goes. Expect reports to come in over the next months (not weeks, but months, and perhaps throughout the year). Here’s the list I’ve got so far for 2017, and it will be updated as I become aware of new incidents.  Steve Ragan of Salted Hash has indicated that he will keep track, too, so do check his space also for additional information. As of March 13, Steve estimates 120,000 affected for the 110 incidents we had as of that date.

Note: DataBreaches.net would like to thank the Identity Theft Resource Center and Doug Levin, who both have also been helping find and track these incidents.

  1. Dracut Schools [662 (FOIA response)]
  2. Tipton County Schools 
  3. Odessa School District [“hundreds of employees”]
  4. Campbell County Health  [1,400]
  5. Marin Software
  6. UGI Utilities [1,900]
  7. Sunrun [“a substantial portion” of 4,000 employees]
  8. Lexington School District Two (SC)
  9. Mercedes Independent School District (TX) [950]
  10. eHealthInsurance (eHealth, Inc.)
  11. Kuhana Associates
  12. Point Coupee Hospital [200]
  13. Morton School District (IL)
  14. Scotty’s Brewhouse (IN) [4,000]
  15. Mitchell Gold + Bob Williams [1,100]
  16. Persante Health Care
  17. TransPerfect Global
  18. Davidson County Schools (NC)
  19. Belton Independent School District (TX) [1,700]
  20. Argyle School District (TX)
  21. Renovate America (CA)
  22. Manatee County School District [7,900]
  23. Anchor Packaging
  24. Distribution International
  25. Sky Climber, LLC
  26. College of Southern Idaho [2500]
  27. West Michigan Whitecaps [230]
  28. Adventist Health Tehachapi Valley [Updated to 253]
  29. Verc Enterprises, Inc.
  30. Monarch Beverage (IN)
  31. Corsicana Independent School District
  32. Alton Steel [300]
  33. Mohave Community College
  34. City of Twinsburg, Ohio [500]
  35. Showpay, LLC
  36. SouthEast Alaska Regional Health Consortium
  37. Land Title Guarantee Company
  38. AmTote Intl [350]
  39. Sweeney Drywall Finishes Corp.
  40. Mercer County Schools (WVa) [1800]
  41. Patrick Industries [4,700]
  42. Bloomington Public Schools (MN) [1800]
  43. NEO Tech
  44. Petro 49 
  45. Klondex Gold & Silver Mining
  46. Frosch International Travel
  47. Citizens Memorial Hospital 
  48. Driveline Retail
  49. Northwestern College (IA)
  50. Asbury Communities [3,000]
  51. TrustComm, Inc.
  52. Verato, Inc. (data were in “encrypted” format)
  53. TrueNet Communications [506] 
  54. Pacific Biosciences (corrected)
  55. Bentley Truck Services
  56. Tate Access Floors [7]
  57. Accolade, Inc.
  58. ABNB Federal Credit Union (got 2015 data, but not requested 2016 data)
  59. MBA Consulting Services [2015 data]
  60. Goode Compliance International (?)
  61. Vecellio Group
  62. Astadia, Inc.
  63. Ashland University
  64. Maxor National Pharmacy Services
  65. Virginian Wesleyan College
  66. Amplify Education
  67. Black River Falls School District [478]
  68. Trenton R-9 School District [260]
  69. Barron Area School District [431]
  70. American Senior Communities* (IN) [“more than 17,000”]
  71. Crotched Mountain Foundation [~1000]
  72. Mount Healthy City Schools [600]
  73. Meridian Health Services [1200]
  74. Viskase Companies, Inc. [590]
  75. InterMountain Management, LLC
  76. Cayan
  77. LEAF Commercial Capital, Inc.
  78. Gardiner & Appel (Phishing?)
  79. North Carolina Symphony [262]
  80. Ellwood Thompson’s Local Market  [360]
  81. Civitas Media
  82. San Antonio Symphony [250]
  83. Abernathy Independent School District
  84. The Amalgamated Sugar Company, LLC [2,858]
  85. Tab Products Co., LLC
  86. Vintage Realty Company (2015 and 2016)
  87. Redmond School District [~1000]
  88. North Ridgeville Beckett Air [~200]
  89. Independence School District
  90. Wisenbaker Building Services
  91. Autoneum North America Inc.  [2,400]
  92. Northeast Ohio Regional Sewer District** [~900]
  93. MetWest Terra Hospitality
  94. Yukon Public Schools
  95. Allied Minds, LLC
  96. Aero Air
  97. Groton Public Schools [1300]
  98. MAM Software [81]
  99. Tyler Independent School District  
  100. Glastonbury Public Schools [1600]
  101. Equian LLC (and subsidiaries, Nurse Audit LLC) 
  102. Weidenhammer [~180]
  103. Alabama State Port Authority [780]
  104. Joseph-Beth
  105. ProScan Imaging, LLC
  106. PCA Skin
  107. Ark City School District – USD 470
  108. Berkley Mid-Atlantic Group
  109. Dawson
  110. BBB Industries, LLC***
  111. Geokinetics
  112. ADF International 
  113. Dairy Management, Inc (sent inquiry as to W-2 phishing)
  114. QualiChem, Inc [84]
  115. Toscano Clements Taylor [36]
  116. Ben Bolt Independent School District [150]
  117. Arkansas City USD 470 [“dozens,” but not all]
  118. NSC Technologies, LLC
  119. City of San Marcos [803]
  120. Colorado Nonprofit Development Center
  121. Defense Point Security, LLC 
  122. SolutionsIQ, Inc.
  123. Biomedical Systems Corp.
  124. American Tire Distributors
  125. J.N. Phillips Company (and subsidiaries Windshield Centers LLC and Strategic Claim Services, Inc.)
  126. Palm Bay International
  127.  Powhatan County Public Schools [905]
  128. Coupa [625]
  129. Walton School District [30]
  130. Schurman Retail Group
  131. Kettle Cuisine [351]
  132. Federal Process Corporation (.docx file)
  133. Temptronic Corp (subsidiary of inTEST)
  134. inMoment, Inc.
  135. AmQuip Crane Rental, LLC
  136. netPolarity, Inc.
  137. Araca Group
  138. Mollie Stone’s Markets
  139. Ameriflight, LLC
  140. Great Falls Holdings
  141. Spaulding Youth Center
  142. Envelopes Unlimited
  143. Sarnova, Inc.
  144. TriTech Software Systems
  145. Berg, LLC
  146. Westminster College (MO)
  147. Dutchland Plastics (424)
  148. Dental Services Group
  149. Solera Holdings
  150. CFG Community Bank
  151. National Safety Council
  152. TIC Gums, Inc. and Specialty Blends, Inc. [got 2015 and 2016 data]
  153. LookingGlass Cyber Solutions Inc. 
  154. Taconic Biosciences, Inc. 
  155. Huckstep Holdings Corp. (d/b/a TechWise)
  156. Bostwick Laboratories 
  157. Merchant Metals, Inc. 
  158. The Grove, Inc. (TGI) 
  159. CapTech 
  160. Jenner & Block LLP 
  161. ABS Associates 
  162. Shulman Rogers 
  163. Teletrac Navman 
  164. GKIC 
  165. Biothera Pharmaceuticals 
  166. Atlas Container 
  167. MGH, Inc. 
  168. Neosho County Community College 
  169. Atlantic Coast Mortgage, LLC (W-2’s and 1095-C’s) 
  170. Clean Advantage and Advantage Waste 
  171. AmTote International 
  172. Monoflo International 
  173. Pro-Vigil 
  174. Frost & Sullivan 
  175. INSYS Group 
  176. Peak Alarm Company 
  177. Columbia Association 
  178. Medical Depot, Inc. 
  179. E.T. Rockville, E.T. Staffing, & E.T. Holdings [360] 
  180. Kettle Cuisine [351] 
  181. Vectorworks 
  182. American Pest (2015 and 2016 data) 
  183. Mary T. Inc. (MTI) 
  184. San Diego Christian College 
  185. Colony American Finance, LLC 
  186. TransCen 
  187. Calmark Group (2015 data) 
  188. Cross Street Partners 
  189. IntelePeer Holdings 
  190. C.A. Short 
  191. Intact Technology 
  192. B.C. Ziegler and Company [145]***
  193. Alignstaffing and RehabPlus Staffing Group, Inc. 
  194. Toole Design Group 
  195. The Connections Therapy Center 
  196. Community Assistance Network 
  197. National Older Worker Career Center (2015 and 2016 data) 
  198. Aisthesis 
  199. GetWellNetwork 
  200. VT Industries Vertical Bridge***** 
  201. DiCentral Corporation
  202. Pacific Quest
  203. Paratransit
  204. Pacific Science Center
  205. Quatro Composites (290)

* Unnamed payroll processor fell for phish.
** Two employees separately fell for the phish and sent out W-2 data.
*** Note: this is NOT “the Better Business Bureau”
**** Although the file with W-2 information was sent, it was password-protected.
***** Employee had recently received training in recognizing phishing attempts

  21 Responses to “Victims of W-2 phishing scams (2017 list)”

  1. I had a call from someone posing to work for Walgreens said that he didn’t work in the store was a floater wanted to change my prescription refills from 30 to 90 days got really bad with all the hacking I had that month in November, had to get rid of my email, contacts and grandchildren’s pics and Facebook. Gave the info to Walgreens as I felt there was a person standing by the register doing something with his “phone” watching everyone as they were in line. When I left the store, reporting the incident that happened on the phone I notified corporate. They never got back to me although I opened a case, called three times. Of course it may be an inside job, I believe it is, have all the info as I document heavily. So sad to see what’s happening to my children’s world, I don’t have an email any more by choice

  2. I think I have found a few others, as I have been tracking security issues related to K-12 school districts specifically. Running list at: https://www.edtechstrategies.com/blog/irs-phishing/

    • Thanks, Doug. I checked your list.
      There are three that you list that I didn’t have on mine. One is from today: Bloomington, which I hadn’t picked up yet – thanks!
      But the other two you list that I don’t have are not from 2017. They were both last year: the Olympia School District one and the Maine school one (Brunswick).

      So my count for k-12 schools is now at 13 for this year so far.

      Please do let me know if you find others that you think I’ve missed. I appreciate all help.

  3. Citizens Memorial Hospital??

    • Yes. I added them earlier today. Did you read the linked article? Why the “??” in your comment?

      • It hadn’t yet been added to the phishing list when I first saw it.

        I’d also like to give a shout out to the Montana AG’s office for their updated listings – great new source for breaches!

        • Ah, now I understand. Yeah, I check Montana’s list every day… and the other state lists that I know about. If you see something in a media report that I might miss, do let me know.

    • Yeah, I had picked that one up, too.

      Was just totalling what we’ve got so far for where we do have numbers (which is less than half of the incidents). Already more than 57,000 affected.

  4. Tab Products Co.

    Please know that I am just trying to lend an ear (eye?) to finding all of these crazy breaches.


  5. Thank you so much for adding links to breaches #51 – #58! I was having difficulty trying to find sources for those…

